With --leak-test at the final interp->exit_handler_list = NULL; interp is already freed #765

Closed
rurban opened this Issue · 3 comments

@rurban
Collaborator

I see two problems with --leak-test:
1. invalid write interp->exit_handler_list = NULL;
2. invalid call Parrot_x_jump_out with freed interp

gdb --args ./parrot --leak-test first.pir

Breakpoint 1, 0x000000000041a8c0 in __asan_report_error ()
(gdb) bt
#0 0x000000000041a8c0 in __asan_report_error ()
#1 0x000000000041ace7 in __asan_report_load8 ()
#2 0x00007ffff6c72539 in Parrot_x_jump_out (interp=, status=)
at src/exit.c:71
#3 0x00007ffff6c72657 in Parrot_x_exit (interp=0x7ffff2f4be80, status=0) at src/exit.c:124
#4 0x00007ffff6c2bbfd in Parrot_api_destroy_interpreter (interp_pmc=)
at src/embed/api.c:320
#5 0x00000000004070e6 in main (argc=, argv=)
at frontend/parrot2/main.c:175

$ ./parrot --leak-test first.pir

first

==15822== ERROR: AddressSanitizer heap-use-after-free on address 0x7f18877aafe8 at pc 0x7f188b4d1539 bp 0x7fff0710fd90 sp 0x7fff0710fd88
READ of size 8 at 0x7f18877aafe8 thread T0
#0 0x7f188b4d1539 (/home/rurban/Perl/parrot/parrot-git/blib/lib/libparrot.so.4.3.0+0x40c539)
#1 0x7f188b4d1657 (/home/rurban/Perl/parrot/parrot-git/blib/lib/libparrot.so.4.3.0+0x40c657)
#2 0x7f188b48abfd (/home/rurban/Perl/parrot/parrot-git/blib/lib/libparrot.so.4.3.0+0x3c5bfd)
#3 0x4070e6 (/home/rurban/Perl/parrot/parrot-git/parrot+0x4070e6)
#4 0x7f1888118ead (/lib/x86_64-linux-gnu/libc-2.13.so+0x1eead)
0x7f18877aafe8 is located 360 bytes inside of 384-byte region [0x7f18877aae80,0x7f18877ab000)
freed by thread T0 here:
previously allocated by thread T0 here:
==15822== ABORTING
Stats: 1M malloced (1M for red zones) by 1561 calls
Stats: 0M realloced by 82 calls
Stats: 0M freed by 474 calls
Stats: 0M really freed by 0 calls
Stats: 44M (11271 full pages) mmaped in 11 calls
mmaps by size class: 8:16383; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32; 18:16;
mallocs by size class: 8:1147; 9:20; 10:17; 11:204; 12:57; 13:109; 14:2; 15:1; 16:1; 17:1; 18:2;
frees by size class: 8:230; 9:10; 10:7; 11:190; 12:30; 13:4; 15:1; 16:1; 17:1;
rfrees by size class:
Stats: malloc large: 3 small slow: 21
Shadow byte and word:
0x1fe310ef55fd: fd
0x1fe310ef55f8: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1fe310ef55d8: fd fd fd fd fd fd fd fd
0x1fe310ef55e0: fd fd fd fd fd fd fd fd
0x1fe310ef55e8: fd fd fd fd fd fd fd fd
0x1fe310ef55f0: fd fd fd fd fd fd fd fd
=>0x1fe310ef55f8: fd fd fd fd fd fd fd fd
0x1fe310ef5600: fa fa fa fa fa fa fa fa
0x1fe310ef5608: fa fa fa fa fa fa fa fa
0x1fe310ef5610: 00 00 00 00 00 00 00 00
0x1fe310ef5618: 00 00 00 00 00 00 00 00

@Whiteknight Whiteknight was assigned
@Whiteknight Whiteknight closed this issue from a commit
@Whiteknight Whiteknight Add a new Parrot_x_execute_on_exit_handlers to call exit handlers. Use that in the embedding API to fix an error where we were destroying the interp before attempting to call these handlers. This *should* fix #765
0b7ccce
@Whiteknight Whiteknight reopened this
@rurban
Collaborator

heap-use-after-free in interp->exit_handler_list = NULL still present, just now in Parrot_x_execute_on_exit_handlers()

$ ./parrot --leak-test first.pir 2>log.first
$ asan_symbolize.py < log.first

==30373== ERROR: AddressSanitizer heap-use-after-free on address 0x7faddba83fa0 at pc 0x7faddfa1088a bp 0x7fffff76d110 sp 0x7fffff76d108
WRITE of size 8 at 0x7faddba83fa0 thread T0
#0 0x7faddfa1088a in Parrot_x_execute_on_exit_handlers /home/rurban/Perl/parrot/build-d-asan/src/exit.c:137
#1 0x7faddf9c8740 in Parrot_api_destroy_interpreter /home/rurban/Perl/parrot/build-d-asan/src/embed/api.c:322
#2 0x407086 in main /home/rurban/Perl/parrot/build-d-asan/frontend/parrot2/main.c:176
#3 0x7faddc3f1ead in __libc_start_main /home/aurel32/eglibc/eglibc-2.13/csu/libc-start.c:260
0x7faddba83fa0 is located 288 bytes inside of 384-byte region [0x7faddba83e80,0x7faddba84000)
freed by thread T0 here:
previously allocated by thread T0 here:
==30373== ABORTING
Stats: 1M malloced (1M for red zones) by 1563 calls
Stats: 0M realloced by 82 calls
Stats: 0M freed by 474 calls
Stats: 0M really freed by 0 calls
Stats: 44M (11271 full pages) mmaped in 11 calls
mmaps by size class: 8:16383; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256; 15:128; 16:64; 17:32; 18:16;
mallocs by size class: 8:1147; 9:20; 10:17; 11:204; 12:57; 13:111; 14:2; 15:1; 16:1; 17:1; 18:2;
frees by size class: 8:230; 9:10; 10:7; 11:190; 12:30; 13:4; 15:1; 16:1; 17:1;
rfrees by size class:
Stats: malloc large: 3 small slow: 21
Shadow byte and word:
0x1ff5bb7507f4: fd
0x1ff5bb7507f0: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1ff5bb7507d0: fd fd fd fd fd fd fd fd
0x1ff5bb7507d8: fd fd fd fd fd fd fd fd
0x1ff5bb7507e0: fd fd fd fd fd fd fd fd
0x1ff5bb7507e8: fd fd fd fd fd fd fd fd
=>0x1ff5bb7507f0: fd fd fd fd fd fd fd fd
0x1ff5bb7507f8: fd fd fd fd fd fd fd fd
0x1ff5bb750800: fa fa fa fa fa fa fa fa
0x1ff5bb750808: fa fa fa fa fa fa fa fa
0x1ff5bb750810: 00 00 00 00 00 00 00 00

I silenced the failing --leak-test with
PARROT_NO_ADDRESS_SAFETY_ANALYSIS
on Parrot_x_execute_on_exit_handlers()

@Benabik Benabik reopened this
@rurban rurban referenced this issue from a commit
@rurban rurban Mark --leak-test to be skipped with AddressSanitizer
See issue GH #765. interp can be already freed, but avoid checking it for now.
7600c8f
@jkeenan
Owner

Re-opening due to new test failure in file touched by commits apparently related to this ticket:

$ prove -v t/run/options.t 
t/run/options.t .. 
1..35
ok 1 - Start of help message
# ...
ok 26 - -r option <"./parrot" -D 8 -R slow "/tmp/8VxGioq5Az.pir" 2>&1>
illegal argument in Parrot_interp_info
current instr.: '__show_runtime_prefix_and_exit' pc 701 (frontend/parrot2/prt0.pir:267)
not ok 27 - --runtime-prefix

#   Failed test '--runtime-prefix'
#   at t/run/options.t line 96.
#                   ''
#     doesn't match '(?^:^.+$)'
ok 28 - --gc-dynamic-threshold needs argument warning
# ...
# Looks like you failed 1 test of 35.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/35 subtests 

Test Summary Report
-------------------
t/run/options.t (Wstat: 256 Tests: 35 Failed: 1)
  Failed test:  27
  Non-zero exit status: 1
Files=1, Tests=35,  0 wallclock secs ( 0.03 usr  0.01 sys +  0.31 cusr  0.17 csys =  0.52 CPU)
Result: FAIL

Can someone investigate? Thanks.

@rurban
Collaborator

Hopefully fixed with 2162db6
exit via exception fooled the old logic.
Now set and check for interp->final_exception, similar to the already_dying logic in issue #816.

@rurban rurban closed this
@Whiteknight Whiteknight removed their assignment